Sysprep, Machine SIDs and Other Myths

re: Sysprep, Machine SIDs and Other Myths

Tim M — Mon, 04 Mar 2013 01:25:49 GMT

Hi,

I'm attempting to determine the implications of testing DR scenarios for server systems. If storage replication is used from the active site to the passive site, and we want to test the DR plan by turning on the passive site servers while the active is still running (changing IPs)... will this cause an issue? Obviously, everything about the computer will be identical except for the IP address.. we're essentially cloning it.

Now, if the duplicate Domain SID issue is purely related to security, I'm not concerned about that. The passive DR instance should have the same permissions as its active instance anyway. And if it's an actual DR scenario, there would be no difference from test other than there would be only one server accessing the domain and other applications at a time.

The only issue I can see with this is the DR (passive) instance registering with DNS and changing the IP. I suppose we could disable that somehow, perhaps by firewall, etc.

How is this handled typically? Any insight is greatly appreciated...

re: Sysprep, Machine SIDs and Other Myths

Michael Murgolo — Thu, 21 Feb 2013 16:56:45 GMT

Andrew,

I assume you are asking about whether PersistAllDeviceInstalls could be used on VMware virtual machine. As long as the attached virtual hardware was identical between the VM where Sysprep was run (the "template") and the deployed VM, the you should be able to use that.

Michael Murgolo

re: Sysprep, Machine SIDs and Other Myths

[url=http://onchannel.net]Andrew[/url] — Thu, 21 Feb 2013 11:52:38 GMT

can this be done on a vmware machine?

re: Sysprep, Machine SIDs and Other Myths

Michael Murgolo — Mon, 10 Sep 2012 20:49:15 GMT

Monk147 - Running Sysprep multiple time is generally not recommended due to issues that can occur. Please read this blog post: blogs.technet.com/.../sysprep-skiprearm-and-image-build-best-practices.aspx.

Marcus - Yes, Sysprep does have some inconvenient behavior but it is the only way to assure that any clone that is deployed is in a supported state when it is started. You can avoid PnP re-detection by using PersistAllDeviceInstalls in Unattend.xml: technet.microsoft.com/.../ee832798(WS.10).aspx.

Michael Murgolo

re: Sysprep, Machine SIDs and Other Myths

Marcus Bogenstaetter — Mon, 10 Sep 2012 18:27:42 GMT

I strongly agree with A.J.!!!

For me, it seems to be full intention of Microsoft, to make things difficult and work against K.I.S.S. It COULD be SO EASY to deploy an identical OS image to IDENTICAL (maybe virtual) hardware, but running sysprep is making a magic box out of it, not being able to take any influence of what is REALLY required.

Maybe, I do not want to trigger PnP detection, or do not want to delete local users or any specific thing. But being forced to using sysprep does not give you any choice. And what is even worse: Even sysprep has (or had) bugs, e.g. the WSUS issue, because one SID is not enough.

One problem I do understand: The OS could already be activated ...

Just my five cents ...

Marcus

re: Sysprep, Machine SIDs and Other Myths

Monk147 — Wed, 07 Jul 2010 19:12:34 GMT

As part of a team that creates Enterprise SOEs (Sysprep Resealed) that are then provided to regional Field services personal who then add region specific content we are finding that they are using Disk Cloning. What they are doing is taking a completed build, adding content, then re-running sysprep reseal. They would then capture that image and deploy it to like devices. Is it appropriate for them to be running Sysprep Reseal on an instance of the OS that has already been resealed?

I have not been able to find Microsoft support statement on running Sysprep reseal multiple times on a given instance of an OS. In a conversation I had several years ago with a Microsoft engineer that we had in to help he specifically told me that it was not recommended or supported.

Thanks for taking the time to read this.

re: Sysprep, Machine SIDs and Other Myths

Slava Olchevski — Tue, 02 Feb 2010 20:55:09 GMT

Hello Michael.

Thank you for your article. I do need your help. I am almost in the same situation that Craig Williams described. Up until recently, I did not have any problems in using sysprep to "reseal" my images. We have a variety of IBM thinkpads and I have to update the cloned images regularily with updates, etc.

What happens now with ThinkPad T60 image is that after I "reseal" the computer with all new updates and patches, as soon as I go through the initial setup and login for the first time, I am unable to see "Windows IP Configuration". It is just blank - it doesn't show any adapters, it doesn't say "Media disconnected", nada. Although, in "Device Manager" I can see all network adapters and they are also present in "Network Connections"...

I was, unsuccesfully recetting TCP/IP stack, applied WinsockFix, etc to no avail. I exported registry keys (HKLM/SYSTEM/CurrentControlSet/Services/Rcpip

and HKLM/SYSTEM/CurrentControlSet/Control/Network

from a working machine and imported them into freshly sysprep'ed - that didn't work either.

I am at the end of my wits! Please, help.

Thank you.

re: Sysprep, Machine SIDs and Other Myths

Michael Murgolo — Mon, 25 Jan 2010 15:37:50 GMT

Artem,

It will depend upon what your goals are. If you are trying to do all of the following, then rejoining the existing account makes sense.

• Keep the existing computer name.

• Preserve the existing computer account direct resource access.

• Preserve the existing computer account group membership (for resource access via group membership and Group Policy security group filtering).

• Preserve container (OU) location

If you wish to do none of this, then deleting the old account and creating a new one may make more sense.

Where it gets tricky is if you only want to do some of the above items. For example, supposed you want a new computer name and a new OU location for the account while preserving the group membership. Then there are several ways you can do this. You could script a rename and move of the existing account after the old OS has been shut down for the last time but before the new OS join occurs. (You would use this method if you needed to preserve access to resources ACLed directly with the computer account.)

Alternately, you could capture the computer group membership while in the old OS delete the account (here’s an example of that - http://blogs.technet.com/deploymentguys/archive/2009/06/19/setting-ad-computer-object-mdt-properties.aspx), create the new account in the correct OU on join, and write a script to restore the membership to the new account.

Michael Murgolo

re: Sysprep, Machine SIDs and Other Myths

Pronichkin — Sun, 24 Jan 2010 11:54:02 GMT

Hi Michael and thank you for your article.

I'd like to go little beyond the SIDs themselves and talk about computer accounts in AD. Lot of customers use to decommission old PCs, deploy new PS using old names and attach them to old computer accounts in AD. Do you believe that's a safe practice or it's better to reset/delete old computer accounts and create new ones?

Thanks in advance

re: Sysprep, Machine SIDs and Other Myths

A. J. — Wed, 13 Jan 2010 12:31:28 GMT

Althou I do understand sysprep need, but having using Altiris to clone WinXP computers it really means that I save *ALOT* of time when I simply clone computer by making a "perfect" sample computer with perfectly setupped user (In school envoroment with 21 computers, all using same username "Student", no AD) and then simply taking a snapshot of computer and multicasting it to other computers. It was fast and easy way. Altiris had sysgen that made changes to computers so there would not be dual SID's.

Using Sysprep resets so many setup tasks in computers (f.ex. notorious IE 8 "kazillion" steps to start browing, all small little details in other computers) and now in our Win7's it destroys f.ex. Display drivers which means that after almost installing all compueters by hand (sysprep destroys so much ..) I have to reinstall drivers also.

Is there ANY way to get back to old ways of simple and fast procedure of cloning and setting up or are we forced to use 20th century tools and ineffentiel ways?